When I set up the DSL account with Earthlink, I used my dad's name for it. The e-mail address I requested was his first and middle initials, plus the last name. Apparently, someone else had previously had the same name and the same e-mail address, but had the service terminated for one reason or another.
Within a day of getting the e-mail set up, I started getting messages for this other gentleman. Now, nearly a year later, I have approximately a year's worth of monthly "Continental Airlines One-Pass" statements in my inbox.
I noticed that in these messages there was a link to their website. For the heck of it, I clicked the link. The link took me to a login screen, which, funnily enough, had a "forgotten password" recovery link.
When I clicked the password recovery link, I was surprised at what little information they required to reset the password: just the e-mail address. They would reset the password and e-mail the new one to the account specified.
I didn't follow through, but think about the privacy concerns for the other gentleman. It would have been so easy for me to get all kinds of information about him through just that one account reset!
So what else was I to do but be the nice "white-hat" and e-mail Continental Airlines' abuse department about it.
I am currently receiving monthly OnePass statements in my inbox, but I have never had an account of any sort with your company. I do know that the previous holder of my email account had the same last name as me, and that I have received some of his messages. I feel that it is a great violation of his privacy for his statements to be sent to me on a monthly basis. I do know that I could easily use the links in the messages you send to access his account and personal information, which I view as a very big security flaw as well. Rather than using the "unsubscribe" options in the messages you send, I feel that it would be much safer for one of your representatives to MANUALLY disable the monthly statements from being sent to my email address. I sincerely hope this message finds its way to an individual who will take it seriously and rectify the situation.
Their reply shocked me:
Thank you for contacting the OnePass Service Center. The name on the account we have on record with this email address is EDITED OUT. We can't alter the information. If Earthlink has given this email address to two different people with the same last name, you will need to go online and request that you want to discontinue email subscription. Lola Lathon-Graham OnePass Service Center
Unfortunately, to unsubscribe you must also login to the account, which again opens up this individual's personal information to a complete stranger.
Personally, seeing how their technical department handled it, I'd not feel safe flying on their airline, for fear of what other security flaws they have in their procedures.
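The two recovery flows at issue in the post, side by side, as an added example that is not code from the original post or from the airline: the weak flow resets the password on nothing more than a known e-mail address and mails the new password to whoever now controls that mailbox (the situation described above), while the hardened flow requires something the new mailbox holder does not have (the kind of secret-question check a commenter mentions, plus the account number), mails a short-lived single-use token instead of a password, and answers identically whether or not the details matched. The account data, member number, secret answer and reset URL are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: the previous mailbox holder's account, keyed by the
# e-mail address the ISP later reissued to a stranger (all values hypothetical).
ACCOUNTS = {
    "abc_smith@example.net": {
        "member_no": "OP12345678",                              # hypothetical account number
        "password": "old-password",
        "answer_hash": hashlib.sha256(b"rover").hexdigest(),    # hypothetical secret answer
    },
}

RESET_TOKENS = {}            # sha256(token) -> (email, expiry as epoch seconds)
TOKEN_TTL_SECONDS = 15 * 60


def _answer_hash(answer):
    # Normalise before hashing so "Rover " and "rover" are the same answer.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


def weak_reset(email, outbox):
    """The flow the post describes: knowing the address is enough, and the
    new password itself is mailed to whoever now controls that mailbox."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    acct["password"] = secrets.token_urlsafe(9)
    outbox.setdefault(email, []).append("Your new password is " + acct["password"])
    return True


def login(email, password):
    acct = ACCOUNTS.get(email)
    return acct is not None and hmac.compare_digest(acct["password"], password)


def hardened_reset_request(email, member_no, answer, outbox, now=None):
    """Hardened flow: the mailbox alone proves nothing (it may have been
    recycled), so the request must also carry a member number and a secret
    answer. On a match a random single-use token is mailed, never a password,
    and the response text is the same either way to avoid account enumeration."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email)
    matched = (
        acct is not None
        and hmac.compare_digest(acct["member_no"], member_no)
        and hmac.compare_digest(acct["answer_hash"], _answer_hash(answer))
    )
    if matched:
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked table is not enough to use it.
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL_SECONDS)
        outbox.setdefault(email, []).append(
            "To choose a new password visit https://example.invalid/reset?token=" + token)
    return "If the details match an account, reset instructions have been mailed."


def hardened_reset_complete(token, new_password, now=None):
    """Consume the token exactly once, reject it after expiry, then set the password."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True


def simulate_recycled_mailbox():
    """The stranger who inherited the address tries each flow knowing only the address."""
    email = "abc_smith@example.net"
    outbox = {}
    weak_reset(email, outbox)
    mailed_password = outbox[email][-1].split()[-1]
    weak_takeover = login(email, mailed_password)      # the stranger is now logged in

    outbox = {}
    ACCOUNTS[email]["password"] = "old-password"
    hardened_reset_request(email, "OP00000000", "fluffy", outbox, now=1_000_000)
    hardened_takeover = bool(outbox)                   # wrong details: no mail, no token
    return {"weak_takeover": weak_takeover, "hardened_takeover": hardened_takeover}


if __name__ == "__main__":
    print(simulate_recycled_mailbox())
```

The hardened flow still sends the token to the mailbox, so the address's new owner sees it; what stops the takeover is that the token is only issued after a check the stranger cannot pass. The same reasoning applies to the unsubscribe link: a per-recipient signed link that needs no login would let the wrong recipient stop the statements without ever seeing the account.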
Wow... did they even read your email?
If an organization as large as an airline can't manage user privacy, what about a few sites I buy computer equipment from, and my information they undoubtedly have on file?
- Posted by Siplus (Guest) on September 9, 2006 at 10:09:03PM
It is possible that there are other security measures they use.
There are a few places that ask you how you would like to recover your password, giving you a choice of a secret question or notification by e-mail.
People are dumb and don't think about security, so they choose whatever is easiest.
- Posted by macguy (Guest) on September 10, 2006 at 12:16:18AM
Right. But at the same time, if you get mail from a collection agency because of a delinquent payment, but the letter is addressed to someone else at your address, what do you do? Most people contact the collection agency and inform them that the previous occupant is no longer living there, and the delinquency notices are stopped. That's what I attempted with Continental, and they basically refused to correct the situation.
I am 90% positive that if I do request the password to be reset and change the e-mail notification options, I will be violating numerous privacy policies, if not the law. And yet, asking the company to correct the issue on their part, I get told that it's my responsibility.
I'd rather not be marked as a terrorist, thank you.
- Posted by tim (Guest) on September 10, 2006 at 03:38:59PM